Q&A: State privacy laws and HIPAA

February 23, 2017

Q. My hospital recently purchased a clinic group that includes offices across the state line. My understanding has been that when state patient privacy laws are stricter than HIPAA, the state law should be given precedence, but is this still good practice for a multi-state group? If we apply a universal privacy and information security policy to the organization, should we use only HIPAA as the benchmark or whichever of the state laws prescribes a higher level of privacy and security?


A. The federal HIPAA Privacy Rule does not automatically preempt or supersede state privacy laws. State laws take precedence when they offer a higher level of privacy protection or the state provision is necessary for:

  • Prevention of fraud and abuse
  • Appropriate state regulation of insurance and health plans
  • State reporting on healthcare delivery or costs
  • Addressing controlled substances
  • Public health reporting or investigation of diseases, injuries, births, deaths, or child abuse
  • Health plan reporting for financial audits or program monitoring
  • Facility or individual licensure or certification

Bottom line: You must comply with both the federal Privacy Rule and applicable state laws and regulations.

Editor's note: This question was answered by Mary D. Brandt, MBA, RHIA, CHE, CHPS for Briefings on HIPAA. Brandt is a healthcare consultant specializing in healthcare regulatory compliance and operations improvement. She is also an advisory board member for BOH. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.
